GDPR cheat sheet for web designers (English edition)
What GDPR actually requires when you build a website for an EU client. Cookies, contact forms, analytics, hosting region - the 8 things every site you ship needs to handle, and the 4 you can safely ignore.
Every web designer who builds for an EU client at some point Googles “GDPR website checklist” and gets back 14 different answers. This is the short version: 8 things every site you ship needs to handle, and 4 things you can safely ignore. Written for web designers, not lawyers.
The 8 things to handle on every EU site
1. Cookie banner, but only if you set non-essential cookies
A purely static site with no analytics, no ads, and no third-party embeds doesn't need a banner. The moment you add Google Analytics, Meta Pixel, Hotjar, or any third-party embed (YouTube, Maps, Calendly), you do.
Use a banner that requires explicit opt-in (not opt-out). Tools: Klaro (open source, recommended), Cookiebot ($10/mo per site, easiest), or roll your own with a 30-line script.
2. Privacy policy
Must list: what data is collected, why, how long it's kept, who it's shared with, user rights, contact for data requests. Use a generator (Termly, iubenda) and customize the “data collected” section per site.
3. Contact / lead form consent checkbox
Every form that collects an email address and sends marketing needs a separate consent checkbox: “I agree to receive marketing emails.” Don't pre-tick it. Don't bundle it with terms acceptance.
4. Forms over HTTPS only
Any form with personal data (name, email, phone) must submit over HTTPS. Most hosts handle this by default in 2026; double-check the form action URL doesn't fall back to HTTP.
5. Data minimization
Don't collect fields you don't need. A contact form doesn't need date of birth. A booking form doesn't need gender. Each unnecessary field is a compliance liability and a conversion killer. The principle: collect the minimum required for the immediate purpose.
6. EU hosting (when client data is sensitive)
For dental, medical, legal, financial sites, host in the EU (Vercel EU, Netlify EU, OVH, Hetzner). Non-EU hosting requires Standard Contractual Clauses with the host - extra paperwork the client doesn't want.
For a generic local-business site (restaurant, salon, plumber), US hosting is fine as long as Vercel/Netlify have signed an SCC, which they have.
7. Right-to-erasure mechanism
Privacy policy must list a contact (email is fine) where users can request data deletion. The client handles the actual deletion when requested - just provide them with admin tools (delete-user button in their backend, or instructions for their database).
8. Cookie expiry <= 13 months
Any cookie you set should expire within 13 months at most. Most analytics tools default to longer; configure them down. Google Analytics 4 defaults to 14 months - set it to 12.
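As an added example (not code from this page, nor from Klaro, Cookiebot or any other tool it names), here is the core of the “roll your own” opt-in banner from item 1 combined with the 13-month cap from item 8: non-essential scripts load only when a stored “granted” decision exists, refusal is a single click just like acceptance, and the consent cookie's lifetime is clamped to 395 days. The cookie name, the script inventory and the G-PLACEHOLDER id are assumptions constructed for the example.

```javascript
// Added example: explicit opt-in consent gate with a 13-month cookie cap.
// Assumptions (not from the page): the cookie name "consent", the SCRIPTS inventory
// and the G-PLACEHOLDER measurement id are constructed for illustration.
const MAX_COOKIE_DAYS = 395; // 13 months: the page's ceiling for any cookie you set

// Clamp a requested lifetime (e.g. a tool's 14-month default) to the 13-month cap.
function cookieMaxAgeSeconds(requestedDays) {
  const days = Math.min(Math.max(requestedDays, 1), MAX_COOKIE_DAYS);
  return days * 24 * 60 * 60;
}

// Read the stored decision from a document.cookie-style string; anything other than
// an explicit "granted" or "denied" counts as no decision, i.e. no consent (opt-in).
function readConsent(cookieHeader, name = "consent") {
  for (const part of cookieHeader.split(";")) {
    const [key, ...rest] = part.trim().split("=");
    if (key === name) {
      const value = decodeURIComponent(rest.join("="));
      return value === "granted" || value === "denied" ? value : null;
    }
  }
  return null;
}

// Cookie string for a decision: Secure, SameSite=Lax, lifetime capped at 13 months.
function consentCookieString(decision, requestedDays = 365, name = "consent") {
  const maxAge = cookieMaxAgeSeconds(requestedDays);
  return `${name}=${decision}; Max-Age=${maxAge}; Path=/; SameSite=Lax; Secure`;
}

// Opt-in, not opt-out: non-essential scripts load only after an explicit "granted".
function scriptsToLoad(scripts, consent) {
  return scripts.filter((s) => s.essential || consent === "granted");
}

// Constructed inventory: first-party app code plus two third-party embeds.
const SCRIPTS = [
  { src: "/js/app.js", essential: true },
  { src: "https://www.googletagmanager.com/gtag/js?id=G-PLACEHOLDER", essential: false },
  { src: "https://www.youtube.com/iframe_api", essential: false },
];

// Browser-only wiring, guarded so the decision logic above also runs under Node.
// Accept and Reject buttons each set document.cookie = consentCookieString(decision)
// in one click, then call injectScripts(scriptsToLoad(SCRIPTS, decision)).
function injectScripts(list) {
  for (const s of list) {
    document.head.appendChild(Object.assign(document.createElement("script"), { src: s.src, async: true }));
  }
}
if (typeof document !== "undefined") injectScripts(scriptsToLoad(SCRIPTS, readConsent(document.cookie)));
```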
The 4 things you can safely ignore
1. The exact text of the cookie banner
The CNIL and ICO publish guidelines that change yearly. A generic “Accept All / Reject All / Customize” banner with a link to the privacy policy is sufficient for 99% of sites. Don't over-engineer.
2. DPA agreements for tools the client uses
The client is the data controller; you're the processor. The client signs DPAs with their tools (Mailchimp, HubSpot, Stripe). You don't need to. List which tools the site uses in your handoff document and let the client's DPO/lawyer handle the rest.
3. Anonymizing IP addresses in analytics
In 2026, all major analytics tools anonymize by default (Plausible, Fathom, GA4 with IP anonymization). You don't need to manually configure this anymore.
4. Cookie-less analytics gymnastics
You don't need to deploy three different analytics setups based on consent state. Plausible or Fathom, cookie-free and on by default; that's the modern stack. Skip the “analytics fire only after consent” complexity.
The handoff checklist
When you ship an EU site, hand the client:
- Privacy policy (customized to their tools)
- Cookie banner config (which tools fire pre vs post consent)
- List of all third-party tools the site uses
- The contact email used for data requests
- Instructions for handling deletion requests
Bundle this as a 2-page PDF. Most clients won't read it, but it covers your liability when they ask “what about GDPR?” six months later.
French specifics (CNIL)
Adds: explicit refusal must be as easy as acceptance (one click both ways, not 5 clicks to refuse vs 1 to accept). A Mentions légales page is mandatory. See the French GDPR breakdown for cold-email specifics.
UK specifics (ICO post-Brexit)
Largely identical to GDPR. UK-GDPR has minor differences in international data transfers but the website-building checklist is the same.